Embed Size (px)
Citation preview
1
CASE #1
System Reviews – Peer Review Planning Activities
Consider each scenario separately related to System Reviews. It is assumed that each question is separate from the previous or following question within the scenario, unless otherwise indicated. Estimated Time to Complete: 20 Minutes SCENARIO A Throughout this case, we will discuss planning a system review in general terms, including what you do as a team captain in your practice and what factors impact your decisions to do more or less on a given review. You have just accepted a new peer review client. You have arranged with the firm to be on-site for the review in approximately one month. In anticipation of the review you have begun your planning procedures. Question 1 What are the procedures you perform during your initial planning and what types of information do you request from the reviewed firm?
Solution 1 Planning the review should typically involve obtaining an understanding of the firm, including obtaining the prior review documents, inquiring about items included in the representation letter, obtaining an understanding of the nature and extent of the firms practice, obtaining an understanding of the firm system or quality control and monitoring procedures. This should all be used to assess the peer review risk and determine the offices and engagements to be selected. Note to discussion leaders: Encourage participants to discuss how they perform their planning procedures, including what inquiries they make, and if they use any tools that are not provided by the AICPA Peer Review Program or their Administering Entity. Paragraph .38a of PRP Section 1000 states “A System Review should include, but not be limited to, the following procedures:
a. Planning the review, as follows: i. Obtain the results of the prior peer review. ii. Inquire of the firm about the areas to be addressed in the written
representations. iii. Obtain a sufficient understanding of the nature and extent of the firm’s
accounting and auditing practice to plan the review. iv. Obtain a sufficient understanding of the design of the firm’s system of quality
control, including an understanding of the monitoring procedures performed since the prior review, to plan the review.
2
v. Assess peer review risk. vi. Use the knowledge obtained from the foregoing to select the offices and the
engagements to be reviewed and to determine the nature and extent of the tests to be applied in the functional areas.”
Additional guidance on planning the review is found in paragraphs .39–.63 of PRP Section 1000, and Interpretations 39-1 – 63-3 of PRP Section 2000.
Question 2 How do your planning procedures differ when you are preparing for a new peer review client versus a reoccurring one? Why?
Solution 2 There is no right or wrong answer to this question, it is for discussion purposes only. Some additional questions that could be asked to spark conversation include: 1) On which engagement would you typically have more professional skepticism? Why? 2) When reviewing the prior review documents, do you place as much reliance on
another firm’s assessment as you do your own? Why? 3) When reviewing the prior review documents, do you ever wish you’d been clearer in
the way you documented something on an FFC form or in your report? Question 3 From a practical standpoint, at what point in the peer review do you discuss the representation letter with the reviewed firm and what do you try to ascertain from this discussion?
Solution 3 The reviewer should make these inquiries when planning the review to determine if any oversights have been performed, when they were performed, the results of those oversights, and the firm’s response to any issues identified. All of this can inform the team captains risk assessment and the level of testing that needs to be performed in the peer review. Paragraph .40 of PRP Section 1000 states that “the reviewer should inquire of the firm regarding the areas to be addressed in the written representation and consider whether the areas discussed require additional emphasis in the course of the review.” Interpretation 40-1 in PRP Section 2000, states that “If the firm has undergone oversights or inspections by regulatory or governmental entities (for instance, the Department of Labor, the Department of Health and Human Services, or other local, state, or federal entities), the team captain should consider the results of those oversight reviews during planning and when determining the nature and extent of peer review procedures. The results from regulatory or governmental oversights are sources of information that should be considered within the context of peer review, as they can provide valuable information that may assist the review team in planning its procedures. However, the team captain should keep in mind that the goals of regulatory or governmental oversight may differ from the purpose of a system review, and it would be inappropriate to place reliance on regulatory or governmental oversight results. The team captain should consider and document the following factors regarding the
3
procedures and results of regulatory or governmental oversights and communications from regulatory or governmental bodies:
• The impact of regulatory or governmental oversight on the scope of the peer review. When the types of engagements subject to regulatory or governmental oversight are also within the scope of engagements that can be selected for peer review, the review team should consider how the nature, systemic cause, pattern, or pervasiveness of the oversight results impact the peer review in terms of inherent risk (for example, the firm’s demonstrated expertise in performing those types of engagements) and control risk (for example, how the system of quality control is designed to prevent issues in those types of engagements and the effectiveness of those controls based on the regulatory or governmental results), and document those considerations in the risk assessment.
If the oversight results indicate a lack of comments or only minor issues, the team captain should document the nature of the oversight results as a consideration in the risk assessment. Although a lack of comments is not necessarily indicative that the firm’s system of quality control is operating effectively for the relevant industry practice, it is a factor in assessing inherent and control risk. When the oversight results include more substantive comments, the review team should evaluate the significance of the comments relative to the applicable industry and other industries and practice areas, and consider what impact, if any, they have on the peer review scope.
If the oversight results include deficiencies or indications of engagements that were not performed or reported on in conformity with applicable professional standards in all material respects in the view of the oversight body, the team captain should understand the systemic cause(s) identified by the firm and evaluate how the firm responded to the oversight results in order to properly consider the impact on the peer review risk assessment and engagement selection. If similar matters are identified as a result of the review team’s review of engagements during the peer review, the team captain should consider whether the systemic causes identified by the firm (if any) are similar to the systemic causes identified by the review team.
• The timing of the regulatory or governmental oversight results. The team captain should consider the time period covered by the regulatory oversight results in determining their usefulness for assessing peer review risk and determining the impact (if any) on the extent of peer review procedures. When possible, the team captain should obtain the oversight results from the most recently available oversight reviews. The team captain should inquire about any open or ongoing oversight reviews, the status of those oversight reviews, and the firm’s preliminary remediation plans (if applicable).
• The firm’s responsiveness to regulatory or governmental oversight results. The team captain should consider the degree of the firm’s responsiveness to oversight findings and other communications, as evidenced by the remediation planned or taken. Remediation efforts by the firm may impact industries that are subject to peer review and can be useful in assisting the team captain with considering the design of the firm’s system of quality control or compliance with
4
it. The team captain should document this consideration in the risk assessment during the planning of the review.
• The size of the firm relative to its specialized industry practice(s). The team captain should consider the relative significance of the specialized industry practice(s) subject to regulatory oversight to the firm’s total practice in determining the relevance of the regulatory oversight results to the peer review. The team captain should document this consideration in the Summary Review Memorandum (when applicable).”
Question 4 The Peer Review standards require the team captain to obtain an understanding of the 1) nature and extent of the firm’s accounting and auditing practice, 2) design of the firm’s system of quality control, and 3) monitoring procedures performed since the prior review. What procedures do you perform to obtain these understandings?
Solution 4 The Standards, generally, do not discuss how to obtain these understandings, as such there is no right or wrong answer to this question, it is for discussion purposes to share ideas on practical application of the Standards. Additionally, obtaining these understandings inform the team captains risk assessment and the level of testing that needs to be performed in the peer review. The following are the relevant paragraphs from PRP Section 1000: Understanding the Firm’s Accounting and Auditing Practice and System of Quality Control .41 The review team should obtain a sufficient understanding of the nature and extent of
the reviewed firm’s accounting and auditing practice to plan the review. This understanding should include knowledge about the reviewed firm’s organization and philosophy, as well as the composition of its accounting and auditing practice.
.42 The review team should also obtain a sufficient understanding of the reviewed firm’s
system of quality control with respect to each of the quality control elements in SQCS No. 8 to plan the review (see interpretations). SQCS No. 8 requires every CPA firm, regardless of its size, to have a system of quality control for its accounting and auditing practice. It states that the quality control policies and procedures applicable to a professional service provided by the firm should encompass the following elements: leadership responsibilities for quality within the firm (the “tone at the top”); relevant ethical requirements (such as independence, integrity and objectivity); acceptance and continuance of client relationships and specific engagements; human resources; engagement performance; and monitoring. It also states that the nature, extent, and formality of a firm’s quality control policies and procedures should be appropriately comprehensive and suitably designed in relation to the firm’s size, the number of its offices, the degree of operating autonomy allowed its personnel and its offices, the knowledge and experience of its personnel, the nature and complexity of the firm’s practice, and appropriate cost-benefit considerations.
5
.43 The understanding obtained by the review team should include knowledge about the design of the reviewed firm’s quality control policies and procedures in accordance with quality control standards established by the AICPA and how the policies and procedures identify and mitigate risk of material noncompliance with applicable professional standards.
.44 The understanding of the firm’s accounting and auditing practice and system of
quality control is ordinarily obtained through such procedures as inquiries of appropriate management and other personnel, reviewing the firm’s internal policies and procedures, and reviewing the firm’s quality control documentation.
.45 The review team should obtain a sufficient understanding of the reviewed firm’s
monitoring policies and procedures since its last peer review and their potential effectiveness. In doing so, the review team may determine that the firm’s current year’s internal monitoring procedures could enable the review team to reduce, in a cost-beneficial manner, the number of offices and engagements selected for review or the extent of the other testing (see interpretations).
Understanding and Assessing Peer Review Risk Factors .46 Just as the performance of an audit involves audit risk, the performance of a System
Review involves peer review risk. Peer review risk is the risk that the review team: a. Fails to identify significant weaknesses in the reviewed firm’s system of quality
control for its accounting and auditing practice, its lack of compliance with that system, or a combination thereof.
b. Issues an inappropriate opinion on the reviewed firm’s system of quality control for its accounting and auditing practice, its compliance with that system, or a combination thereof.
c. Reaches an inappropriate decision about the matters to be included in, or excluded from, the report.
.47 Peer review risk consists of the following two parts:
a. The risk (consisting of inherent risk and control risk) that an engagement will not be performed or reported on in conformity with applicable professional standards in all material respects, that the reviewed firm’s system of quality control will not prevent such failure, or both.
b. The risk (detection risk) that the review team will fail to detect and report on the design or compliance deficiencies or significant deficiencies in the reviewed firm’s system of quality control.
.48 Inherent risk and control risk relate to the reviewed firm’s accounting and auditing
practice and its system of quality control. These risks may be affected by circumstances arising within the firm (for example, individual partners have engagements in numerous specialized industries or the firm has a few engagements constituting a significant portion of the firm’s accounting and auditing practice) or outside the firm (for example, new professional standards being applied for the first time or adverse economic developments in an industry).
Assessing Peer Review Risk
6
.49 In planning the review, the review team should use the understanding it has obtained of the reviewed firm’s accounting and auditing practice and its system of quality control to assess the inherent and control risks. The assessment of risks is qualitative and not quantitative. The lower the inherent and control risk, the higher the detection risk that can be tolerated and vice versa. Based on its assessment of inherent and control risk, the review team determines the acceptable level of detection risk.
.50 When assessing risk, the review team should evaluate the reviewed firm’s quality
control policies and procedures over its accounting and auditing practice in relation to the requirements contained in SQCS No. 8. This evaluation provides a basis for the review team to determine whether the reviewed firm has adopted appropriately comprehensive and suitably designed policies and procedures that are relevant to the size and nature of its practice.
Relationship of Risk to Scope .51 The review team should consider the combined assessed levels of inherent and
control risk when selecting offices and engagements to be reviewed. The higher the combined assessed levels of inherent and control risk, the higher the peer review risk. To reduce the peer review risk to an acceptable low level, the detection risk needs to be low, and thus the greater the scope (that is, the greater the number of offices that should be visited or the greater the number of engagements that should be reviewed, or both). Conversely, the lower the combined assessed levels of inherent and control risk, the smaller the scope that needs to be considered for review. The combined assessed levels of inherent and control risk may vary among offices and engagements so that the scope may be greater for some types of offices and engagements than for others.
.52 However, even when the combined assessed levels are low, the peer review team
must review some engagements to obtain reasonable assurance that the reviewed firm is complying with its quality control policies and procedures and applicable professional standards. For the review team to obtain such assurance, a reasonable cross section of the reviewed firm’s accounting and auditing engagements must be reviewed or inspected, with greater emphasis on those portions of the practice with higher combined assessed levels of inherent and control risk (see interpretations).
Interpretations 42-1 through 52-1 from PRP Section 2000 are also relevant but have not been included herein.
7
CASE #2
System Reviews – Remediation of Nonconforming Engagements
Consider each scenario separately related to System Reviews. It is assumed that each question is separate from the previous or following question within the scenario, unless otherwise indicated. Estimated Time to Complete: 20 Minutes SCENARIO A During the peer review for Bonnie & Clyde (B&C) covering the year-ended December 31, 2019, the team captain selected three of the firm’s 25 limited scope defined contribution employee benefit plan audit engagements; no other audit or accounting services were performed during the period under review. On one of the engagements selected, the firm placed reliance on a type 2 SOC1 report to reduce its sample size for substantive testing, however the workpapers did not include any support for testing the operating effectiveness of complementary user entity controls at the plan sponsor. The team captain answered “No” to question A130 (a bolded question) of the EBP checklist, communicated the issue to the firm on MFC1, and deemed the engagement as nonconforming. Question 1 Is it reasonable for the team captain to deem the engagement nonconforming?
Solution 1 Yes. According to the instructions of the EBP Checklist at PRP Section 20,700, “No” answers to bolded questions by themselves are indicative of an engagement that has not been performed or reported on in accordance with professional standards in all material respects. This does not preclude application of professional judgment, which may be necessary to determine if there is adequate support for testing relevant assertions and compliance with plan provisions or regulatory matters. Considering the above, the team captain may ultimately determine the engagement materially conforms to professional standards. However, the reviewer should provide a thorough explanation in section V, Explanation of “No” Answers and Other Comments. This is an important point to document on the checklist so that a technical reviewer, report acceptance body, or committee can evaluate the appropriateness of the reviewer’s conclusion.
Question 2 Is it appropriate for the team captain to instruct B&C to perform the omitted control testing procedures or to recall and reissue the report?
Solution 2 No, it is not appropriate for a peer reviewer or an administering entity to instruct firms to perform omitted procedures, reissue accounting or auditing reports, or have previously issued financial statements revised and reissued because those
8
are decisions for the firm and its client to make. However, according to interpretation 67-2, the administering entity can require the firm to make and document appropriate considerations regarding such engagements as a condition of acceptance of the peer review. The firm’s response may affect other monitoring actions the administering entity’s peer review committee may impose, including actions to verify that the firm adheres to the intentions indicated in its response.
Question 3 What are the firm’s responsibilities regarding the nonconforming engagement?
Solution 3 According to interpretation 67-1, the reviewed firm should investigate the issue questioned by the review team and determine what timely action, if any, should be taken, including actions planned or taken to prevent unwarranted continued reliance on its previously issued reports. The reviewed firm should then advise the team captain or review captain of the results of its investigation, including parties consulted, and document the actions planned or taken or its reasons for concluding that no action is required as follows:
• In the firm’s response to the MFC form
• In the firm’s response to the FFC form, if applicable
• In the firm’s letter of response to deficiencies and significant deficiencies identified in the report, if applicable
The firm is also expected to make a representation in its representation letter to the team captain confirming it will remediate nonconforming engagements as stated by the firm on its MFC forms, FFC forms, or letter of response, as applicable
Question 4 What are the team captain’s responsibilities regarding the nonconforming engagement identified in B&C’s peer review?
Solution 4 The peer reviewer should evaluate the firm’s actions planned or taken or its reasons for concluding that no action is required for nonconforming engagement. According to Interpretation 67-1, the team captain should remind the reviewed firm of its responsibilities under professional standards to take appropriate actions as addressed in the following professional standards, as applicable:
• AU-C section 560, Subsequent Events and Subsequently Discovered Facts (AICPA, Professional Standards)
• SSARS No. 19, Framework for Performing and Reporting on Compilation and Review Engagements (AICPA, Professional Standards, AR sec. 60, 80, and 90), or SSARS No. 21, Statements on Standards for Accounting and Review Services: Clarification and Recodification (AICPA, Professional Standards, AR-C sec. 60, 70, 80, and 90) as applicable
• AU-C section 585, Consideration of Omitted Procedures After the Report Release Date (AICPA, Professional Standards)
• The “Breach of Independence” interpretation (AICPA, Professional Standards, ET sec. 1.298.010)
9
Furthermore, according to Supplemental Guidance in PRP Section 3100, the peer reviewer should thoroughly document these situations in the Summary Review Memorandum, including whether they believe the firm’s considerations support its decision and whether a monitoring action is suggested to follow up on the remediation of the specific engagement. These peer review documents should be submitted for consideration during the peer review acceptance process. A reviewed firm’s appropriately documented considerations in response to such an engagement and documentation of the reviewer’s assessment of the reviewed firm’s response are conditions of acceptance by the peer review committee. If the firm and peer reviewer considerations are not properly performed or documented, the RAB may defer acceptance of the peer review subject to appropriate considerations or peer review documentation.
Question 5 The firm responded to the MFC as noted below. Is this a sufficient response, or should the team captain request a revised response before submitting the workpapers to the administering entity? “We agree with the matter identified by the reviewer; this was isolated to this engagement, as appropriate procedures were performed on other engagements where reliance was placed on a SOC 1 report to reduce substantive testing.”
Solution 5 The team captain should request a revised response from the firm so that it is apparent the firm has considered its responsibilities as required by professional standards. While the firm’s response indicates the failure to perform control testing procedures is limited to the single engagement, this does not indicate whether the firm has appropriately considered its professional responsibilities as described in Interpretation 67-1. The facts appear to indicate the issue is in fact isolated, however that does not provide enough evidence for the team captain to evaluate the firm’s actions planned or taken to remediate the engagement. According to Supplemental Guidance in PRP Section 3100, firms are only required to remediate as appropriate in accordance with professional standards and are not expected to recall reports or perform additional procedures in every scenario. In general, if firms can articulate their consideration of the professional standards and why the actions taken or planned are appropriate, it would not result in a tone at the top deficiency. Firms are discouraged from defaulting to a response of “we’ll fix it on the next engagement” without thought behind that response. It may be the appropriate response but firms should be able to articulate why that is the appropriate response. Furthermore, if the team captain or RAB concludes that the firm’s response and consideration of the applicable standards is not appropriate to address the nonconforming engagement, the team captain should evaluate whether there are other weaknesses in the firm’s system. For example, an inappropriate response may be indicative of a potential failure to comply with the leadership or tone at the top element in the firm’s system of quality control. A failure to properly consider how to address nonconforming engagements may indicate an internal firm culture that fails to promote that quality is essential in performing engagements.
10
CASE #3
System Reviews – MFCs and FFCs
Consider each scenario separately related to System Reviews. It is assumed that each question is separate from the previous or following question within the scenario, unless otherwise indicated. Estimated Time to Complete: 10 Minutes SCENARIO A Luther Dickenson, CPA of the firm NMA, LLC performed a system review. The team captain reviewed a general audit, an audit performed in accordance with Government Auditing Standards, an employee benefit plan audit, a review engagement, and two non-disclosure compilation engagements. There were several “no” answers on each of the engagement checklists but, with the exception of those pertaining to management representation letters, Mr. Dickenson determined they were isolated to the engagements that were reviewed. None of the “no” answers would have caused the engagements to be nonconforming. Because Mr. Dickenson found issues pertaining to management representation letters on several engagements, he wrote an MFC (MFC 1). NOTE: Given the scenario’s description, it is likely that the reviewer raised this MFC to an FFC. However, this scenario only addresses the reviewer’s MFC. MFC 1 Reviewer’s Description of the Matter (include systemic cause, when possible) There were several errors on the management representation letters for three audit engagements supervised by partner John Kimbrough. The errors included: letter was not properly dated; letter did not refer to the comparative year; letter failed to include a representation about estimates. Firm Response Mr. Dickenson advised us that the systemic cause of these errors was probably related to not updating or tailoring letter templates and not properly using our other practice aids. We agree with this systemic cause. Captain Comments None Question 1 Does the reviewer’s description of the matter comply with Peer Review Standards?
Solution 1 Yes. However, the reviewer’s description of the matter should not include any firm identifying information (such as Mr. Kimbrough’s name) and the description should include a systemic cause if one can be identified. In addition, the team captain should work in collaboration with the firm to determine the systemic cause. In this case, there appeared to be a systemic cause but it wasn’t addressed in the MFC. In addition, the reviewer told the firm what the systemic cause was as opposed to collaborating with the firm to identify the systemic cause.
11
Note: The requirement to not include firm identifying information in a matter is not found in the Standards but is due to the AICPA’s project to accumulate the information found in matters to identify and communicate trends. Paragraph .75 of the Standards states, “The team captain, in collaboration with the firm, should determine the systemic cause of matters identified.”
Scenario B Luther Dickenson, CPA of the firm NMA, LLC performed a system review. The team captain reviewed a general audit, two audits performed in accordance with Government Auditing Standards (GAS), an employee benefit plan audit, a review engagement, and two non-disclosure compilation engagements. While completing PRP 4600 (Guidelines for Review of Quality Control Policies and Procedures), Mr. Dickenson noted the reviewed firm’s quality control policies and procedures require individuals in the firm who work on specialized industries (such as those performed in accordance with GAS) to obtain CPE in those industries. The firm’s QCPP also requires individuals who work on engagements performed in accordance with Government Auditing Standards to meet the Yellow Book continuing professional education requirements. On one of the GAS audits, when answering question GA118 in PRP 22,110 (Supplement Checklist for Review of Audit Engagements Performed in Accordance with Government Auditing Standards (Yellow Book) December 2011 Revision) about whether the engagement team members met the Yellow Book continuing professional education requirements, Mr. Dickenson examined the firm’s CPE records. He noted two of the team members did not meet the Yellow Book CPE requirements at the time of the engagement. Mr. Dickenson concluded that the engagement was nonconforming for this reason. A similar problem was not found on the other GAS audit that was reviewed. While reviewing the employee benefit plan audit, Mr. Dickenson examined the CPE records of the engagement team and noted the partner and manager had taken appropriate industry CPE in the 12 months prior to the audit but the senior accountant, while experienced in auditing employee benefit plans, had not. Neither of the engagement team’s two staff accountants had taken relevant CPE. The engagement was conforming. Mr. Dickenson examined the continuing professional education records of other professionals who participated in audits of employee benefits plans and found other instances where industry-specific CPE had not been taken. MFC 1 Reviewer’s Description of the Matter (include systemic cause, when possible) Two members of an engagement team that performed an audit in accordance with Government Auditing Standards did not meet the Yellow Book continuing professional education requirements at the time of the engagement. Three members of an engagement team that performed an audit of an employee benefit plan had not taken industry-specific continuing professional education during the 12-month period before the audit commenced. The firm’s QCPP require that professionals who work in specialized industries obtain industry-specific continuing professional education. The firm’s QCPP also require individuals who work on engagements performed in accordance with Government Auditing Standards to meet the Yellow Book continuing professional education requirements.
12
Firm’s Response The firm agrees with the comments and will ensure that when audits in specialized industries are scheduled that team members have complied with regulatory requirements and with the requirements of our QCPP. FFC 1 Reviewer’s Description of the Finding Two members of an engagement team that performed an audit in accordance with Government Auditing Standards did not meet the Yellow Book continuing professional education requirements at the time of the engagement. This engagement was nonconforming for this reason. Three members of an engagement team that performed an audit of an employee benefit plan had not taken industry-specific continuing professional education during the 12-month period before the audit commenced. Systemic Cause of the Finding The firm failed to comply with its quality control policies and procedures. Were similar findings noted in the prior review? No Are there any non-conforming engagements in this FFC? Yes Reviewed Firm’s Response to the Reviewer’s Findings: The firm’s QCPP require engagement team members on specialized-industry audits have had relevant CPE during the 12-month period prior to the commencement of the engagement. Where necessary, engagement team members are also required to meet regulatory requirements related to continuing professional education. For non-conforming engagements, the response should also describe the following: The firm’s actions taken or planned to remediate the engagements identified on the FFC as non-conforming and the timing of these actions: The firm plans to modify its internally developed engagement scheduling form so it includes a section verifying that QCPP for continuing professional education has been complied with. Question 1 Does MFC 1 comply with Peer Review Standards? If not, what are the errors?
Solution 1 Yes. However, when possible the reviewer’s description of the matter should include a systemic cause. In this case, a systemic cause was identified. Paragraph .75 of the Standards states, “The team captain, in collaboration with the firm, should determine the systemic cause of matters identified.”
Question 2 Does FFC 1 comply with Peer Review Standards? If not, what are the errors?
Solution 2, Part 1 No. The description of the finding should include the applicable requirement of Statements of Quality Control Standards.
13
The description of the FFC could have started as follows, “The Human Resources section of the firm’s Quality Control Document requires the firm to establish policies and procedures designed to provide it with reasonable assurance that it has sufficient personnel with the competence, capabilities, and commitment to ethical principles necessary to perform engagements in accordance with professional standards and applicable legal and regulatory requirements.” Peer Review Standards, paragraph .73 QC Section 10, “A Firm’s System of Quality Control”, Human Resources, paragraph .31 Solution 2, Part 2 No. A systemic cause is a weakness in the firm’s system of quality control that allowed a matter to occur or remain undetected. The systemic cause, as written, simply paraphrased the description of the finding rather than stating WHY the firm didn’t follow the requirements of their QCPP. The systemic cause of the FFC could have stated, “While the firm’s QCPP included appropriate requirements for continuing professional education, the firm did not have an effective tool for ensuring that staff assigned to specialized-industry audits were in compliance with the requirements of the QCPP.” Peer Review Standards, paragraph .75 Solution 2, Part 3 The firm’s response appears to properly address the finding and the systemic cause. However, the response should state when the firm will modify its internally developed schedule and who is responsible for making that happen. The firm should also consider adding information about when staff members who work on Yellow Book engagements will meet the CPE requirements.
14
CASE #4
System Reviews – Nature and Elevation of Matters
Consider each scenario separately related to System Reviews. It is assumed that each question is separate from the previous or following question within the scenario, unless otherwise indicated. Estimated Time to Complete: 15 Minutes SCENARIO A Recall that the relative importance of issues identified during a peer review requires application of professional judgement, and significance determines how a particular issue is communicated to a reviewed firm. Such issues may be communicated on a Matter for Further Consideration (MFC) form, a Finding for further consideration (FFC) form, or included in the peer review report for those reaching the level of a deficiency or significant deficiency. Question 1 What is the basis for communicating an issue to a reviewed firm on an MFC form?
Solution 1 Matters are typically one or more “No” answers to questions in peer review questionnaire(s) that a reviewer concludes warrants further consideration in the evaluation of a firm’s system of quality control. For example, according to paragraph .01 of PRP Section 4951, when the review team encounters situations in which it questions whether a necessary auditing and accounting procedure was performed, a required footnote was disclosed, or a transaction was accounted for correctly, the reviewer should document the issue on an MFC form. As further noted in paragraph .11 of PRP Section 4953, the Disposition of Matter for Further Consideration (DMFC) form should be used to provide a disposition trail of each MFC. The reviewer will indicate on the DMFC whether it was systemically considered as a deficiency or significant deficiency in the peer review report or as a finding on an FFC form, or discussed or cleared with the firm. If the disposition is discussed with the firm, a brief explanation is required on the DMFC form. Additional details to support that disposition should be provided in the “additional comments” section of the MFC. According to paragraph .70a of PRP Section 1000, A peer reviewer notes a matter as a result of his or her evaluation of the design of the reviewed firm’s system of quality control or tests of compliance with it. Tests of compliance include inspection, inquiry, and observation performed by reviewing engagements and testing other aspects of the reviewed firm’s system of quality control. Matters are typically one or more “No” answers to questions in peer review questionnaire(s) that a reviewer concludes warrants further consideration in the evaluation of a firm’s system of quality control.
Question 2 What should a reviewer consider when determining if a matter(s) is elevated to an FFC form?
15
Solution 2 Reviewers must think of matters as symptoms of weaknesses in the firm’s system of quality control. An FFC form should be prepared if there are one or more matters that the peer reviewer believes results in a condition in which there is more than a remote possibility that the reviewed firm would not perform or report in conformity with applicable professional standards in all material respects, but the results were not of such relative importance to include in a report with a peer review rating of pass with deficiencies or fail. The evaluation of a firm’s system of quality control is the primary objective of a System Review and the basis for the peer review report. If a reviewer believes that one or more matters could result in a finding, the peer reviewer should determine the systemic cause in collaboration with the reviewed firm as described by Interpretation 83-1. As a reminder, the description of the finding should include the applicable requirement of Statements on Quality Control Standards, the scenario that led to the finding, and should reference nonconforming engagements as a result of the finding, if applicable. Furthermore, multiple matters may result from the same condition in the firm’s system of quality control and therefore should be aggregated to the same FFC form accordingly.
According to paragraph .70b of PRP Section 1000, a finding is one or more related matters that result from a condition in the reviewed firm’s system of quality control or compliance with it such that there is more than a remote possibility that the reviewed firm would not perform or report in conformity with applicable professional standards. A peer reviewer will conclude whether one or more findings are a deficiency or significant deficiency. If the peer reviewer concludes that no finding, individually or combined with others, rises to the level of deficiency or significant deficiency, a report rating of pass is appropriate.
Question 3 What should a team captain consider before elevating a matter(s) or finding(s) to the peer review report? What is the distinction between a deficiency and a significant deficiency?
Solution 3 A team captain must use professional judgment in determining the type of peer review report to issue. This judgment requires the consideration of several factors, including an understanding of the firm’s system of quality control and the nature, systemic causes, pattern, and pervasiveness of matters and their relative importance to the firm’s system of quality control taken as a whole, including limitations on the scope of the review. Deficiencies are conditions related to the firm’s design of and compliance with its system of quality control that could create a situation in which the firm would have less than reasonable assurance of performing or reporting in conformity with applicable professional standards in one or more important respects due to the nature, systemic causes, pattern, or pervasiveness, including the relative importance of the deficiencies to the quality control system taken as a whole. By nature, findings, deficiencies, and significant deficiencies relate to a condition(s) in a firm’s system of quality control, however there are certain distinctions:
16
• A finding results when there is more than a remote possibility the firm would not perform or report in conformity with applicable professional standards, whereas
• A deficiency results when the team captain concludes the firm would not have reasonable assurance of performing or reporting in conformity with applicable professional standards in one or more important respects.
• A significant deficiency results when the team captain concludes the firm’s system of quality control is not suitably designed to provide the firm with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects or the firm has not complied with its system of quality control to provide the firm with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects.
A deficiency is defined in paragraph .70c of PRP Section 1000, which is one or more findings that the peer reviewer has concluded, due to the nature, systemic causes (see paragraph .75), pattern, or pervasiveness, including the relative importance of the finding to the reviewed firm’s system of quality control taken as a whole, could create a situation in which the firm would not have reasonable assurance of performing or reporting in conformity with applicable professional standards in one or more important respects. It is not a significant deficiency if the peer reviewer has concluded that except for the deficiency or deficiencies, the reviewed firm has reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects. A significant deficiency is defined in paragraph .70d of PRP Section 1000, which is one or more deficiencies that the peer reviewer has concluded results from a condition in the reviewed firm’s system of quality control or compliance with it such that the reviewed firm’s system of quality control taken as a whole does not provide the reviewed firm with reasonable assurance of performing or reporting in conformity with applicable professional standards in all material respects.
17
CASE #5
System Reviews – Nonconforming Engagements
Consider each scenario separately related to System Reviews. It is assumed that each question is separate from the previous or following question within the scenario, unless otherwise indicated. Estimated Time to Complete: 20 Minutes SCENARIO A Peer review guidance provides some “bright lines” when determining if an engagement is nonconforming, however it also allows reviewers to exercise professional judgment when making those determinations. Throughout this case we will be discussing situations where a team captain has to make a determination about whether an engagement conforms with professional standards in all materials respects. The following excerpts from guidance are provided to assist in this discussion. Paragraph .66 of PRP Section 1000 states:
“For each engagement reviewed, the review team should conclude on its review by documenting whether anything came to its attention that caused it to believe that the engagement was not performed or reported on in conformity with applicable professional standards in all material respects (see interpretations).”
Interpretation 66-1 of PRP Section 2000 states:
Question—Paragraphs .66–.67 and .109 of the standards requires the review team to conclude on the review of an engagement by determining whether the engagement was performed or reported on in conformity with applicable professional standards in all material respects. How should this conclusion be made? Interpretation—The review team should use practice aids that document, for each engagement reviewed, whether anything came to the review team’s attention that caused it to believe the following, as applicable:
a. The financial statements were not in conformity with GAAP in all material respects or, if applicable, with a special purpose framework and the auditor or accountant’s report was not appropriately modified.
b. The firm did not perform or report on the engagement in all material respects in accordance with generally accepted auditing standards and other applicable standards; for example, Government Auditing Standards.
c. The firm did not perform or report on the engagement in all material respects in accordance with SSARS.
d. The firm did not perform or report on the engagement in all material respects in accordance with SSAEs or any other applicable standards not encompassed in the preceding.
In Engagement Reviews, these results should be considered by the review captain in determining the type of report to issue.
18
Question 1 In addition to the guidance provided earlier in this case, what are other resources or tools that you use when assessing nonconformity?
Solution 1 Some of the peer review checklists (EBP, Broker-Dealer, and PCAOB) include bolded questions. When a bolded question is answered “no”, there is a presumption the engagement is nonconforming. The peer review checklists also include a section at the end to document all “no” answers to evaluate the aggregated impact of all of the issues identified on a given engagement. Additionally, while Appendix E to PRP Section 6200 is designed for Engagement Reviews, many reviewers and RABs use that guidance by analogy in System Reviews to assist with judgment calls on review, compilation, and preparation engagements. Other items that may be discussed include: 1) Other resources such as Peer Review Alerts 2) An overall summary of “no” answers. Some reviewers use this in lieu of the section
provided within each engagement checklist. 3) Professional experience obtained from other reviews performed, including feedback
received from technical reviewers, other peer reviewers, and RABs. 4) Consultation with other reviewers or members of the team captain’s firm, the
Administering Entity, and the AICPA.
SCENARIO B Question 1 While reviewing a defined benefit plan, you noticed that the auditor did not select an adequate sample of participants to test the census data. They tested eligibility and agreed participant data to the personnel files for their selected sample, but the sample size appeared inadequate and they failed to perform any procedures to test completeness of the census data. Question A225 from the Employee Benefit Plan Checklist is provided below for reference. Would you mark the question “no”; why or why not? Would you consider the engagement nonconforming; why or why not?
Question A225 For defined benefit and health and welfare plans, did the auditor perform and document adequate substantive audit procedures to test the following assertion relevant to participant census data used by the actuary to compute accumulated plan benefits and other material benefit obligations (including postretirement obligations)? [AAG-EBP 6.186e and 7.229e]
• Participant census data is complete and accurate [AAG-EBP 6.188a and 7.227a] – Consider documentation of the following example audit procedures
example procedures: [AAG-EBP 6.190e and 7.229e] (refer to AAGEBP for a complete list of examples, as this list is not all-inclusive) • Selecting a sample of participants from census data to determine that
participants are eligible based upon provisions in the plan document
19
and agreeing significant participant information with personnel files, and payroll information (if valuation inputs include compensation)
• Obtaining and reviewing reconciliation of aggregate census data. • Verifying proper inclusion of all eligible participants by agreeing totals
to plan sponsor’s personnel and payroll records, or testing a sample of all potential participants for proper inclusion/exclusion
• Obtaining and reviewing rollforward of census data from one year to the next and determine whether changes are reasonable and consistent with other audit evidence
• Directly confirming aggregate participant data used in the actuarial valuation with the plan’s actuary
Solution 1 Professional judgement will need to be applied when considering the answers to these questions, in addition to the actual content of the audit working papers. Additionally, the response to this question should be aggregated with any other “no” answers in determining if the engagement is nonconforming. If A225 is determined to be a “no” answer, it would be the result of a single italicized sub-bullet and there was some testing done, it would be possible for a team captain to overcome the presumption that the engagement is nonconforming. If the team captain believes the engagement conforms to professional standards in all material respects, this would need to be thoroughly documented in the SRM. If other supporting evidence is not available in the workpapers or if there are other “no” answers on the engagement, the team captain very well could conclude that the engagement is nonconforming. The fact pattern indicates there was an inadequate sample, which implies there was some testing. Most likely, insufficient testing would result in a “no” answer on the checklist. Question A225 was provided in the question as it is a bolded question with italic sub-bullets, but there is another question, A301, which reads “Did the auditor consider and document the following, with regard to audit sampling?” (the sub-bullets have been removed for brevity). For this scenario, it is possible that one or both of these questions could have a “no” answer. As a reminder, within the EBP checklist, italicized questions and bullets are not required steps, but examples of what the auditor could have done to test a relevant assertion. It is possible for the firm to perform other testing over the relevant assertion to obtain the necessary assurance.
SCENARIO C Throughout this scenario, you are reviewing an audit and you noticed that the period covered was within the implementation period for FASB ASC 606, Revenue from Contracts with Customers (ASC 606). Each of the subsequent questions will be based off of this audit but will have a slightly different fact pattern. Discuss how these factors impact your determination about whether the engagement would be considered nonconforming.
20
Question 1 As you are reviewing the workpapers and financial statements, you see no indication the audit client or auditor considered ASC 606. Based on this factor alone, would you consider the engagement nonconforming; why or why not?
Solution 1 Most likely, a lack of consideration of the implementation of a new accounting standard would result in a nonconforming engagement.
Question 2 Building on question 1, you asked the auditor for clarification regarding the implementation of ASC 606, or lack thereof, and the auditor said the client indicated there would be no material impacts and therefore there was nothing to disclose. Would you consider the engagement nonconforming; why or why not?
Solution 2 Most likely, this would still result in a nonconforming engagement. Despite the expected immaterial impact, there are disclosure aspects that do not appear to have been considered. Additionally, it does not appear the auditor has documented any evaluation of the client’s assessment as there is no documentation in the audit workpapers.
Question 3 For this question, do not consider the facts discussed in questions 1 and 2. As you are reviewing the workpapers and financial statements, you see the auditor documented their consideration of the client’s implementation of ASC 606 and agree there would be an immaterial impact associated with the implementation. You also see some of the disclosures are in accordance with ASC 606, but not all of the elements are present. You do not believe the items that are missing would be misleading to the users of the financial statements. Would you consider the engagement nonconforming; why or why not?
Solution 3 It is possible that this would not result in a nonconforming engagement. The team captain will have to use professional judgment in determining the level of noncompliance and whether or not it rises to the level of noncompliance in all material respects. When team captains encounter this scenario in practice, it will be very important for them to fully document what was present and what was missing so that technical reviewers and RABs can have a full understanding of the situation.
Question 4 For this question, do not consider the facts discussed in questions 1, 2, or 3. As you are reviewing the workpapers and financial statements, you see the auditor documented their consideration of the client’s implementation of ASC 606 and they properly included the related disclosures in the financial statements. However, you believe the guidance was misapplied, resulting in material issues in the financial statements. After consulting with the auditor, they agree with your assessment. Would you consider the engagement nonconforming; why or why not?
21
Solution 4 Most likely, this would result in a nonconforming engagement as there are material issues impacting the financial statements.
SCENARIO D Throughout this scenario, you are reviewing engagements performed under SSARS. Discuss each situation and determine whether the engagement would be considered nonconforming. Question 1 You are reviewing the workpapers and financial statements for a review engagement. The firm had inadequate documentation related to their analytical procedures and inquiries of management. Would you consider the engagement nonconforming, why or why not?
Solution 1 In this situation, the review engagement would normally be considered nonconforming. Under the section titled List of Matters and Findings That Generally Would Result in a Deficiency or Significant Deficiency within Appendix E of PRP Section 6200, it states “for review engagements, failure to document the matters covered in the accountant’s inquiry and analytical procedures.” When used by analogy in a system review, this would typically result in a nonconforming engagement.
Question 2 You are reviewing a compilation engagement. As you are reviewing the report, you noticed the firm did not include a paragraph regarding the omission of supplemental information. Would you consider the engagement nonconforming, why or why not?
Solution 2 In this situation, the compilation engagement would normally be considered conforming in all material respects. Under the section titled List of Matters and Findings That Generally Would Not Result in a Deficiency within Appendix E of PRP Section 6200, it states “compilation reports that failed to include the paragraph regarding the omission of supplemental information as applicable in the circumstances.” When used by analogy in a system review, this would typically result in a conforming engagement.
22
CASE #6
System Reviews – Common Requests for Revisions from Technical Reviewers
Consider each scenario separately related to System Reviews. It is assumed that each question is separate from the previous or following question within the scenario, unless otherwise indicated. Estimated Time to Complete: 15 Minutes SCENARIO A Once submitted to the Administering Entity (AE), all peer reviews undergo a technical review before being presented to a report acceptance body (RAB). A primary purpose for performing technical reviews is to anticipate the questions that the RAB might have, this includes ensuring that the peer review documentation (SRM, MFCs, FFC, Report, etc.) is comprehensive, complete, and prepared in accordance with standards. As a result of the technical review, the technical reviewer may have questions for the team captain. Throughout this conference case, we are going to discuss the most common revisions requested by technical reviewers and how to prepare your peer review documentation in a way that helps reduce the number of questions you receive during the technical review process. Question 1 What are the most common revision requests you receive from technical reviewers? As a group, discuss ways to enhance your peer review documentation to reduce the number of times you receive these requests.
Solution 1 This question is for discussion purposes only. We received the following antidotal feedback from technical reviewers regarding the items they most commonly request revisions for, or clarification of. Encourage participants to brainstorm ways to improve their processes and documentation to reduce the amount of technical reviewer questions they receive.
1. Request for revisions to FFCs because they are not written systemically and do not include the appropriate reference to SQCS.
• Paragraph .73 of PRP Section 1000, in part, states “…The description of the finding should include the applicable requirement of Statements on Quality Control Standards, the scenario that led to the finding, and should reference nonconforming engagements as a result of the finding, if applicable. …” Whereby, the description is the ‘what’ and the systemic cause is the ‘why.’ When completing FFC forms, reviewers should ensure all elements listed in paragraph .73 are present before submitting the review to the AE.
2. Request for revisions to the representation letter because it incorrectly omitted the sentence referring to nonconforming engagements.
23
• Paragraph .208c.i. in Appendix B to PRP Section 1000 states: c. Firm Remediation of Nonconforming Engagements, if applicable
i. Confirm it will remediate nonconforming engagements as stated by the firm on the Matter For Further Consideration Form, Finding for Further Consideration Form, or Letter of Response, as applicable.
The example language is also found in Appendix B, within the second example, titled “Illustration of a Representation Letter That Has Been Tailored for Significant Matters to Report to the Team Captain for a System Review.” The sentence should be placed under the listing of must-select engagements that are performed by the firm and should read:
We confirm that we will implement the remedial plans for nonconforming engagements stated in our response to [insert relevant form, for example ‘Finding for Further Consideration Form 1’].
If nonconforming engagements exist, ensure this sentence is included in the representation letter before submitting the review to the AE.
3. There are several areas that lead to common requests for revisions to the report.
• The most frequent is ensuring the must-select paragraph is correct in terms of singular vs. plural.
• When the firm performs engagements under PCAOB standards, reviewers should ensure they include the "applicable to engagements not subject to PCAOB permanent inspection" statement in the first and last paragraph.
• Similar to common requests for revisions to FFC forms, technical reviewers commonly request revisions to the report regarding deficiencies and significant deficiencies to ensure they appropriately include the description, the systemic cause, and the reference to the applicable SQCS. Performing a thorough review of the report prior to submitting the review to the AE can significantly reduce the number of requests for revision to the report.
4. As stated in the RAB Handbook, “the function of the technical review is to evaluate whether the documents reviewed all “hang together,”.” This includes ensuring that the SRM appropriately documents the critical elements of the review. When documentation within the SRM is inconsistent with other information provided, the technical reviewer will ask for clarification. This can result in a request to provide an updated SRM. Common areas that technical reviewers request clarification on in the SRM include a lack of, or insufficient, explanation of
• the report rating
24
• scope expansion
• why an engagement wasn’t considered nonconforming
• consideration of the results from the prior peer review
• inconsistencies between the SRM and PRIMA. Team captains are encouraged to thoroughly document their rational and conclusions, particularly with regard to ‘borderline’ judgment calls.
